MFC-ing TCP timer race condition fix
Julien Charbon
jch at freebsd.org
Tue May 5 16:15:30 UTC 2015
(Same exact email but with a meaningful topic this time...)
Hi list,
I was asked if it is possible to MFC r281599 in FreeBSD 10:
---
Fix an old and well-documented use-after-free race condition in
TCP timers:
- Add a reference from tcpcb to its inpcb
- Defer tcpcb deletion until TCP timers have finished
---
https://svnweb.freebsd.org/base?view=revision&revision=281599
First, I thought it was not possible as it touches struct
tcp_timer/struct tcpcb_mem. Second, John pointed out to me that these two
structures are used only internally. The only side effect I was able to
find is the increase of struct tcpcb_mem size:
- stable/10: struct tcpcb_mem size is 1024 bytes
- stable/10 + tcp timer change: struct tcpcb_mem size is 1032 bytes
- currently in head: struct tcpcb_mem size is 1048 bytes
If you have extra concerns on MFC-ing this change please scream.
Without nice yelps I plan to "MFC after: 1 month" (around May 16th).
Thanks.
--
Julien
More information about the freebsd-net
mailing list